if you take ANY service and throw enough users at it, you will eventually overload the server to the point where it can no longer meaningfully process requests. even large companies (google, yahoo, microsoft, amazon, akamai, etc.) are not immune to this problem.

the profile view is being done by UPDATing a mysql row
and the pm is being sent by INSERTing.
all these UPDATEs and INSERTs are being done within 3060 minutes.
A user is doing a ddos attack by overloading mysql and creating high BW. How can I stop this?

put a limit on how many PM's a person can receive? put a limit on how many PM's a person can send? log your traffic and flag and ban anyone abusing the service...such as one person viewing your profile 250k times. this isn't really a mysql issue as it is a spam prevention issue, which would be fixed on your scripting language on your server.

I already have a PM antiflood function which checks the time difference between two pms sent by the same user; if the time difference is less than the antiflood time it does not allow a new pm to be inserted in the database. But believe it or not it cannot prevent this type of mysql overload.

There are also systems of posts in forums and posts in chats where this attacker can apply the same overloading, which are protected by anti flood functions.

So any new ideas?

How can this type of overloading be done? If it is discussed in detail here I think it will be easy for me to protect against it.

well from the information provided, it seems pretty clear that your anti-flood functions aren't tight enough. anti-flood scripts are put in place to prevent your server from overloading. your server is overloading so the anti-flood scripts aren't working. either that, or there is another issue causing this to happen.

    }else{
        echo "<img src=\"images/notok.gif\" alt=\"X\"/>";
        echo "Can't Send PM to $whonick<br/><br/>";
    }
}else{
    $bantime = time() + (7*24*60*60);
    echo "<img src=\"images/notok.gif\" alt=\"X\"/>";
    echo "Can't Send PM to $whonick<br/><br/>";
    echo "You just sent a link to one of the crapiest sites on earth<br/> The members of these sites spam here a lot, so go to that site and stay there if you don't like it here<br/> as a result of your stupid action<br/>1. you have lost your shield<br/>2. you have lost all your plusses<br/>3. You are BANNED!";
    mysql_query("INSERT INTO ibwf_penalties SET uid='".$byuid."', penalty='1', exid='1', timeto='".$bantime."', pnreas='Banned: Automatic Ban for spamming for a crap site'");
    mysql_query("UPDATE ibwf_users SET plusses='0', shield='0' WHERE id='".$byuid."'");
    mysql_query("INSERT INTO ibwf_private SET text='".$pmtext."', byuid='".$byuid."', touid='2', timesent='".$tm."'");
}
}else{
    $rema = $pmfl - $tm;
    echo "<img src=\"images/notok.gif\" alt=\"X\"/>";
    echo "Flood control: $rema Seconds<br/><br/>";
}
echo "<br/><br/><a href=\"inbox.php?action=main&amp;sid=$sid\">Back to inbox</a><br/>";
echo "<a href=\"index.php?action=main&amp;sid=$sid\"><img src=\"images/home.gif\" alt=\"*\"/>";
echo "Home</a>";
echo "</p>";
echo "</card>";
}

ok so a user can send a PM every 30 seconds. how on earth did you get 250k PMs? if one user sent that, it took them at least 3.14 months. and even if they did go through all that trouble, 3 or 4 requests every 30 seconds won't bring any server down.

so your problem may be someone is bulk attacking you with page views. the best solution i see to this is caching.

do you have traffic logs on your server? take a look at these and see if there are times when you have a huge spike in the number of visitors you have. this would be a good indication that someone is trying to attack your server.

do some debugging. echo out your variable values as you go through your code and make sure the variables coming out are what you expect.

also, are you escaping these variables you're using in your SQL queries? i don't see where you've defined variables such as $pmtext and $byuid, but if you're not escaping these variables you may be suffering from SQL Injection.

that should be fine, but you may find a bunch of extra slashes in your data escaping quotes...if you do you might wanna do stripslashes() on the data before you do mysql_real_escape_string:

PHP Code:

$pmtext = mysql_real_escape_string(stripslashes($_POST['pmtext']));

the next place i would look is to see if there are any other ways a user can access the PM table. they might have found a loophole in one of your scripts that gives them access to send messages without this flood filter.
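An added example, not code from this thread or from the poster's script, putting together the two points made above: the per-sender/per-recipient limits and abuse flagging suggested in the first reply, and bound parameters in place of escaping (no stripslashes/mysql_real_escape_string needed). It also closes a gap in a check-then-insert anti-flood routine: the timestamp check and the INSERT run inside one transaction, so two requests arriving at the same moment cannot both pass the check before either has inserted. Assumptions: the pdo_sqlite extension (SQLite 3.24 or later for ON CONFLICT), PHP 7.1 or later, and the table and column names ibwf_private_demo, flagged_demo, byuid, touid, timesent, which are invented for this demo and only loosely follow the posted code.

```php
<?php
// Added example (not the thread's or the poster's code). Swap the DSN for MySQL in production.

const FLOOD_SECONDS          = 30;   // minimum gap between two PMs from one sender (as in the posted script)
const SEND_LIMIT_PER_HOUR    = 20;   // hard cap on PMs one sender may insert per hour (assumed value)
const RECEIVE_LIMIT_PER_HOUR = 100;  // hard cap on PMs one recipient may receive per hour (assumed value)
const FLAG_THRESHOLD         = 5;    // rejected attempts before the sender is flagged for review (assumed value)

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE ibwf_private_demo (id INTEGER PRIMARY KEY, byuid INTEGER, touid INTEGER, text TEXT, timesent INTEGER)');
    $db->exec('CREATE TABLE flagged_demo (uid INTEGER PRIMARY KEY, rejections INTEGER NOT NULL)');
    return $db;
}

// Count PMs where $col (sender or recipient column) equals $uid inside the trailing window.
function countInWindow(PDO $db, string $col, int $uid, int $now, int $window): int
{
    if (!in_array($col, ['byuid', 'touid'], true)) {   // column name is whitelisted, never user input
        throw new InvalidArgumentException('column must be byuid or touid');
    }
    $stmt = $db->prepare("SELECT COUNT(*) FROM ibwf_private_demo WHERE $col = :uid AND timesent > :since");
    $stmt->execute([':uid' => $uid, ':since' => $now - $window]);
    return (int) $stmt->fetchColumn();
}

// Log a rejected attempt; MySQL equivalent: INSERT ... ON DUPLICATE KEY UPDATE rejections = rejections + 1
function recordRejection(PDO $db, int $uid): void
{
    $stmt = $db->prepare('INSERT INTO flagged_demo (uid, rejections) VALUES (:uid, 1)
                          ON CONFLICT(uid) DO UPDATE SET rejections = rejections + 1');
    $stmt->execute([':uid' => $uid]);
}

function isFlagged(PDO $db, int $uid): bool
{
    $stmt = $db->prepare('SELECT rejections FROM flagged_demo WHERE uid = :uid');
    $stmt->execute([':uid' => $uid]);
    $n = $stmt->fetchColumn();
    return $n !== false && (int) $n >= FLAG_THRESHOLD;
}

// Returns [accepted(bool), reason(string)]. BEGIN IMMEDIATE takes SQLite's write lock
// up front so the checks and the INSERT are atomic; on MySQL/InnoDB use
// SELECT ... FOR UPDATE on the sender's latest row inside the transaction.
function trySendPm(PDO $db, int $byuid, int $touid, string $text, int $now): array
{
    $db->exec('BEGIN IMMEDIATE');
    try {
        if (countInWindow($db, 'byuid', $byuid, $now, FLOOD_SECONDS) > 0) {
            $reason = 'flood control: wait ' . FLOOD_SECONDS . ' seconds';
        } elseif (countInWindow($db, 'byuid', $byuid, $now, 3600) >= SEND_LIMIT_PER_HOUR) {
            $reason = 'sender hourly limit reached';
        } elseif (countInWindow($db, 'touid', $touid, $now, 3600) >= RECEIVE_LIMIT_PER_HOUR) {
            $reason = 'recipient hourly limit reached';
        } else {
            // Bound parameters: the PM text is never interpolated into the SQL string.
            $stmt = $db->prepare('INSERT INTO ibwf_private_demo (byuid, touid, text, timesent)
                                  VALUES (:by, :to, :text, :ts)');
            $stmt->execute([':by' => $byuid, ':to' => $touid, ':text' => $text, ':ts' => $now]);
            $db->exec('COMMIT');
            return [true, ''];
        }
        recordRejection($db, $byuid);
        $db->exec('COMMIT');
        return [false, $reason];
    } catch (Throwable $e) {
        $db->exec('ROLLBACK');
        throw $e;
    }
}

// Constructed demo: sender 7 fires one PM to user 42 every 30 seconds, which passes the
// per-message gap check every time, so only the hourly cap and the flag can stop it.
$db = makeDb();
$t0 = 1000000;
$accepted = 0;
for ($i = 0; $i < 30; $i++) {
    [$ok, $why] = trySendPm($db, 7, 42, "hello #$i, text with an apostrophe ' in it", $t0 + 30 * $i);
    $accepted += $ok ? 1 : 0;
}
printf("accepted %d of 30 paced sends; sender flagged: %s\n", $accepted, isFlagged($db, 7) ? 'yes' : 'no');
```

Run it with `php` on the command line. The paced sender gets through the 30-second gap check on every attempt, which is exactly the situation the original anti-flood function cannot see; the hourly cap stops it at SEND_LIMIT_PER_HOUR and the rejection count flags the account for the kind of log review the first reply recommends.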

I have secured the script from the XSS and sql injection attacks but I don't know how to protect it from mysql overloading where there is an active antiflood function. That's why I had to create this topic.

i understand that, but mysql overloading is not, in itself, a security issue. no one is going to find a mysql overload exploit in your site. your database is being bogged down by more requests than it can handle. these requests originate from your PHP code. so something in your PHP code is allowing someone to brute force attack your server. so the problem we're looking for is an excerpt of code that will allow someone to bypass the anti-flood filter.

is there a specific user that is sending all the PM's? you showed the timestamps of a bunch of PM's sent in succession, but is it the same user id that's sending them all? if it is, check this user's IP, pull up your server logs and see when and what files they tried to load.

the answer is right in front of you, you just have to find it.

edit: i'm going home for the day so hopefully someone can pick up helping where i left off. good luck to you.

If that is overloading your MYSQL, then these are a few things you can do:

#1 Check your tables, they are probably wrong. (updating a big table's index?)
#2 Check your server config, (in a db with 1mill records, my updates take 0.0025 sec or less, on a really slow machine)
#3 Check your selects (you're probably selecting and updating the same server at the same time, so they are waiting on each other), might want to set up a master/slave setup or something.
#4 cache your selects that don't change much (use memcached or something)
#5 cache your updates in some queue; if something updates too much, too fast, cache that counter and update it every 30 sec or something (set X = X + counter, instead of set X = X + 1)

But, if you just add some caching, you should be ok until you get 50 times the traffic you get now.
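An added example of point #5 above, not code from this thread: profile-view increments are buffered in memory and flushed as one `UPDATE ... SET views = views + :n` per profile every 30 seconds (or earlier once the buffer fills), so a burst of views against one profile costs a handful of UPDATEs instead of one per view. Assumptions: the pdo_sqlite extension and PHP 7.4 or later; the table profile_views_demo, the class and the constants are invented for the demo. In a real multi-process PHP deployment the buffer would live in memcached or APCu rather than in a PHP array, but the flush statement is the same.

```php
<?php
// Added example (not the thread's code). Batches counter increments and flushes them additively.

const FLUSH_INTERVAL = 30;  // seconds between flushes, per the reply's suggestion
const FLUSH_MAX      = 500; // flush early once this many increments are buffered (assumed value)

final class ViewCounterBuffer
{
    private PDO $db;
    private array $pending = [];    // profile id => buffered increment
    private int $buffered = 0;
    private int $lastFlush;
    public int $updatesIssued = 0;  // UPDATE statements that actually reached the database

    public function __construct(PDO $db, int $now)
    {
        $this->db = $db;
        $this->lastFlush = $now;
    }

    public function recordView(int $profileId, int $now): void
    {
        $this->pending[$profileId] = ($this->pending[$profileId] ?? 0) + 1;
        $this->buffered++;
        if ($this->buffered >= FLUSH_MAX || $now - $this->lastFlush >= FLUSH_INTERVAL) {
            $this->flush($now);
        }
    }

    // views = views + :n is additive, so several workers flushing their own buffers
    // never overwrite each other's counts (unlike SET views = :total).
    public function flush(int $now): void
    {
        if ($this->pending === []) {
            $this->lastFlush = $now;
            return;
        }
        $stmt = $this->db->prepare('UPDATE profile_views_demo SET views = views + :n WHERE id = :id');
        $this->db->beginTransaction();
        foreach ($this->pending as $id => $n) {
            $stmt->execute([':n' => $n, ':id' => $id]);
            $this->updatesIssued++;
        }
        $this->db->commit();
        $this->pending = [];
        $this->buffered = 0;
        $this->lastFlush = $now;
    }
}

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE profile_views_demo (id INTEGER PRIMARY KEY, views INTEGER NOT NULL)');
    $db->exec('INSERT INTO profile_views_demo (id, views) VALUES (1, 0), (2, 0), (3, 0)');
    return $db;
}

// Constructed load: 3000 views of profile 1 over ~90 seconds (the "one person viewing
// your profile 250k times" pattern, scaled down) plus 40 views of profile 2.
$db  = makeDb();
$buf = new ViewCounterBuffer($db, 0);
for ($i = 0; $i < 3000; $i++) {
    $buf->recordView(1, intdiv($i, 34));   // roughly 34 views per simulated second
}
for ($i = 0; $i < 40; $i++) {
    $buf->recordView(2, 89);
}
$buf->flush(90);                            // drain whatever is left at shutdown

$rows = $db->query('SELECT id, views FROM profile_views_demo ORDER BY id')->fetchAll(PDO::FETCH_KEY_PAIR);
printf("views per profile: %s; UPDATE statements issued: %d instead of %d\n",
       json_encode($rows), $buf->updatesIssued, 3040);
```

The final counts are identical to what 3040 individual UPDATEs would have produced; only the number of statements the database has to execute changes. The remaining trade-off is that a crash loses the increments buffered since the last flush, which is why the interval is kept short.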